Subscribe to Running With Scissors

Hacking, policy, advocacy, and the sharp end of security research. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.

Check your inbox

A confirmation link has been sent to your email.

Sign in Subscribe
By Disclose.io in Tools

disclose.io/platforms: a community-maintained list of every bug bounty and VDP platform we know about

A single, canonical, community-maintained list of every bug bounty and vulnerability disclosure platform we know about — global, regional, and vertical-specific. Vendor-agnostic by design.

disclose.io/platforms: a community-maintained list of every bug bounty and VDP platform we know about

Ask ten hunters where they prefer to work and you'll hear probably hear the same four or five names. Ask which platforms exist in total and the room goes quiet — because nobody has the full list, and the list keeps changing.

disclose.io/platforms is our attempt to fix that. It's a single, canonical, community-maintained list of every known bug bounty platform, vulnerability disclosure platform, and crowdsourced security platform — not just the big-four US-and-Europe players, but the regional ones, the vertical-specific ones, the Web3 specialists, and the ones you've never heard of because they operate in a language you don't read.

What's on the page

The page pulls directly from the open disclose/bug-bounty-platforms repository. Every row is one platform, with columns for:

  • Platform name and URL — where to go to learn more or sign up
  • Primary region or market — US, EU, APAC, LATAM, or global
  • Type — VDP-only, public bug bounty, private bug bounty, crowdsourced pentest, Web3/crypto-specific, etc.
  • Notes — anything distinctive about the program (language coverage, specialized verticals, unusual features)

The table sorts and filters in the browser. You can find every Asia-Pacific platform in two clicks, or every Web3-focused one, or every platform with Spanish-language support for LATAM programs.

Why this matters, two ways

If you're a researcher, the biggest return on this page is diversification. Most hunters get comfortable on one or two platforms, which is fine until the program quality drops, the payouts slow down, or your specialization stops matching the work on offer. Knowing the full market — including the quieter regional players — gives you alternatives. Some of the strongest programs for specific verticals (industrial control systems, automotive, financial services in specific jurisdictions) don't run on the platforms you've heard of, because the platforms you've heard of don't serve those markets well.

If you're a vendor shopping for a platform — or renewing your contract and wondering if there's a better fit — the page is a market map. You'd be surprised how many buyers discover the alternatives list only after they've signed with the first platform they talked to. The page exists in part to make that an avoidable mistake.

And if you're a researcher in a region where the big platforms don't operate, or don't operate well, the regional options matter enormously. One of the goals of this page is to give those platforms equal billing — because the work they do is as legitimate as the work their larger counterparts do, and much of the world's infrastructure is served by them.

It's open — fix what's wrong

The page is a rendered view of a markdown table in a public repo. If a platform is missing, if a URL has changed, if a column value is out of date, the "Improve this page" link on disclose.io/platforms goes straight to the GitHub edit view. Change the row, open a pull request, and the next build of the site picks it up.

This is the same pattern the rest of the disclose.io ecosystem runs on — the directory, the research threats archive, the policy templates in dioterms. We don't run any of these as a walled garden; they're community-maintained reference data, and they only stay accurate because the community maintains them.

What we explicitly do not do

No rankings. No stars. No "best platform" award. The page is a list, not a scorecard. We take an explicit vendor-agnostic stance across the disclose.io project, and the platforms page is where that stance is most visible — because it's the page where we had the most opportunity to editorialize and chose not to.

That doesn't mean platforms are interchangeable; they aren't, and your choice of platform matters a lot for both researchers and buyers. It means that the evaluation work belongs with the people making the decision, not with us.

Start here

Two use cases:

  • Finding a new platform to hunt on? Sort by your region or vertical, find 2–3 you haven't tried, spend a couple of hours reading their public programs to see what's live.
  • Choosing a platform for your program? Filter by region and type, shortlist the ones that fit your market, and go run pilots with the top two.

Either way, the full list is live. If something's wrong on it, fix it — that's what the edit link is for.

Previous

Policy Pulse - Issue #14 | Week of May 9, 2026

You might also like...